California Privacy Protection Agency Approves CCPA Amendments on AI and Cybersecurity

CPPA approves CCPA amendments covering AI/ADMT and cybersecurity

The California Privacy Protection Agency (CPPA) Board approved amendments to the California Consumer Privacy Act (CCPA) on July 24, 2025, with a focus on automated decision-making technologies (ADMT) and cybersecurity. The package introduces new compliance obligations for businesses that use AI systems in ways that may create a “significant risk” to consumer privacy, centered on conducting and maintaining detailed privacy risk assessments.

Implementation is staggered. Compliance for the new risk-assessment requirements begins January 1, 2026. Separate provisions specific to ADMT take effect January 1, 2027—giving organizations more time to operationalize inventories, documentation, and governance controls for automated decision-making across products and internal workflows.

• Inventory becomes a gating step: If you can’t enumerate where ADMT is used (credit scoring, hiring, insurance, recommendations, etc.), you can’t reliably determine which processes trigger “significant risk” assessments or meet the 2026 compliance start.
• Documentation burden shifts to engineering: The amendments push teams toward producing defensible artifacts on data usage, model/algorithmic logic, and bias mitigation—work that typically lives in ML engineering, data engineering, and product ops, not just legal.
• Synthetic data governance becomes auditable: The source frames this as a move from best practice to mandatory compliance activity, meaning synthetic data pipelines, provenance, and privacy controls may need to be formalized as part of risk assessments.
• SMBs face a tooling and process gap: Smaller organizations may need to stand up new governance workflows quickly because existing systems may not be structured to support assessment-ready evidence and ongoing updates.